Corrected: UPDATE 2-Toymaker VTech hit by largest-ever hack targeting kids

VTech Holdings

02/12/2015 03:30

(Corrects quote in 4th paragraph to read "...is troubling" 
instead of "...is disturbing") 
    By Jim Finkle 
    Dec 1 (Reuters) - A cyber attack on digital toymaker VTech 
Holdings Ltd  0303.HK  exposed the data of 6.4 million children, 
the company said on Tuesday, in what experts called the largest 
known hack targeting youngsters. 
    The Hong Kong-based firm said the attack on databases for 
its Learning Lodge app store and Kid Connect messaging system 
affected even more kids than the 4.9 million adults that the 
company disclosed on Friday. 
    Security experts said they expected the size of the breach 
would prompt governments to scrutinize VTech and other toymakers 
to review their security. 
    "The disclosure of the scope of the breach is troubling," 
said Jaclyn Falkowski, a spokeswoman for Connecticut's attorney 
general. 
    Connecticut and Illinois said on Monday they plan to 
investigate the breach. Regulators in Hong Kong are also looking 
into the matter.  urn:newsml:reuters.com:*:nL3N13P138 
    "This breach is a parent's nightmare of epic proportions," 
said Seth Chromick, a threat analyst with network security firm 
vArmour. "A different approach to security for all organizations 
is needed." 
    Chris Wysopal, co-founder of cyber security firm Veracode, 
said it could be a wake up call for families in the same way 
that the hack on infidelity website Ashley Madison earlier this 
year made adults realize online data might not be safe. 
    VTech said in a statement that children's profiles included 
name, gender and birth date. Stolen adult data included name, 
mailing address, email address, password retrieval questions, IP 
address and passwords. (http://(bit.ly/1LM1RMQ) 
    The most VTech customers affected were in the United States, 
followed by France, the United Kingdom, Germany, Canada, Spain, 
Belgium and the Netherlands. 
    Shai Samet, a security expert who audits toymakers for 
compliance with the U.S. government's Children's Online Privacy 
Protection Act, said he believed the case would lead many toy 
companies to "rethink" security protections on children's data. 
    Technology news site Motherboard, which broke news of the 
breach last week, reported that the person who claimed 
responsibility for the hack said "nothing" would be done with 
the stolen information. (http://bit.ly/1Ifc5ut) 
    Security experts were skeptical, noting that the stolen data 
could be worth millions of dollars. 
    "I wouldn't trust him," said Troy Hunt, a security expert 
who reviewed samples of stolen data and information about the 
attack for Motherboard. 
    Justin Harvey, chief security officer with Fidelis 
Cybersecurity, said stolen records sell for $1 to $4 in 
underground markets. 
 
 (Reporting by Jim Finkle; Editing by Bernard Orr and Richard 
Chang) 
 ((jim.finkle@thomsonreuters.com; +1-617-856-4344; Reuters 
Messaging: jim.finkle.thomsonreuters.com@reuters.us)) 
 
Keywords: VTECH CYBERATTACK/